GnuPG2, GPGME vulnerability

2007-03-13T00:00:00
ID USN-432-2
Type ubuntu
Reporter Ubuntu
Modified 2007-03-13T00:00:00

Description

USN-432-1 fixed a vulnerability in GnuPG. This update provides the
corresponding updates for GnuPG2 and the GPGME library.

Original advisory details:

Gerardo Richarte from Core Security Technologies discovered that when
gnupg is used without --status-fd, there is no way to distinguish
initial unsigned messages from a following signed message. An attacker
could inject an unsigned message, which could fool the user into
thinking the message was entirely signed by the original sender.
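
An added example, not part of the Ubuntu advisory or GnuPG's own code: one way a calling application can use the --status-fd output mentioned above to refuse a message whose plaintext is not a single signed part. The accept/reject policy, the function names and the sample status lines are assumptions constructed for illustration; the status keywords are those documented in GnuPG's doc/DETAILS, and the input is assumed to be an inline-signed message.

```python
# Checks gpg --status-fd output for an inline-signed message.
FPR = "A" * 40  # constructed placeholder fingerprint, not a real key
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] KEYWORD args...' line."""
    prefix = "[GNUPG:] "
    for line in text.splitlines():
        if line.startswith(prefix):
            fields = line[len(prefix):].split()
            if fields:
                yield fields[0], fields[1:]

def fully_signed(status_text):
    """Return (ok, reason). Policy assumed by this example: exactly one
    PLAINTEXT part, exactly one VALIDSIG, and no signature failure."""
    plaintexts = valid = 0
    for keyword, _args in parse_status(status_text):
        if keyword in BAD:
            return False, "signature problem: " + keyword
        if keyword == "PLAINTEXT":
            plaintexts += 1
        elif keyword == "VALIDSIG":
            valid += 1
    if plaintexts != 1:
        return False, "expected 1 plaintext part, saw %d" % plaintexts
    if valid != 1:
        return False, "expected 1 valid signature, saw %d" % valid
    return True, "one plaintext part, one valid signature"

# Constructed status streams (illustrative, not captured from a real run).
SIGNED = "\n".join([
    "[GNUPG:] PLAINTEXT 62 1173744000 msg.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 27",
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice Example <alice@example.org>",
    "[GNUPG:] VALIDSIG %s 2007-03-13 1173744000 0 3 0 17 2 00 %s" % (FPR, FPR),
])
UNSIGNED = "\n".join([
    "[GNUPG:] PLAINTEXT 62 1173744000 note.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 19",
])
# An unsigned part ahead of the signed one: the case the advisory describes.
INJECTED = UNSIGNED + "\n" + SIGNED

if __name__ == "__main__":
    for name, stream in (("signed", SIGNED), ("unsigned", UNSIGNED),
                         ("injected", INJECTED)):
        print(name, fully_signed(stream))
```

Human-readable output on stdout or stderr is ignored here on purpose; only the status stream is parsed.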